[PATCH] NT Security Semantics

ZINKEVICIUS,MATT (HP-Loveland,ex1) matt_zinkevicius at hp.com
Thu Apr 4 19:13:02 GMT 2002

Hi gang,
Attached is the current version of the NT security semantics patch against
samba 2.2.3a.  A quick overview of what this patch does:

- Add VFS calls to support extended attributes
  - A reference VFS module for the XFS file system
    on Linux is included (in samba/examples/VFS/xfs_ea)
- Add VFS calls for DOS attributes
- Store/retrieve NT security descriptors using above EA calls
- Implement Win2k style inheritance for NT ACLs
- Enforce security using NT semantics instead of UNIX sematics
  - NOTE: This is a LARGE break from what samba currently
    does, which is to just rely on UNIX permissions.
- Modified the VFS to allow modules to override a subset
  of VFS calls, instead of overriding entire VFS.
  - Because of this change, all current VFS modules will not
    work unless upgraded to the new interface.
  - This part of the patch should be discarded once stackable
    VFS modules are implemented.

New smb.conf options: (all go in [global] section)
-store nt acls = True/False (default=False)
   - Store NT security descriptors using the new EA VFS calls
   - Note that the default implementation of these new EA VFS
     calls just returns an error. You must use a VFS module that
     overrides these calls.
-store dosmode = True/False (default=False)
   - Store DOS attributes using new VFS calls
-nt security semantics = True/False (default=False)
   - Security is enforced using NT semantics (effective permissions)
     instead of UNIX semantics.
   - Requires that "store nt acls" is true.
-sd cache size = ### (default=50)
   - For performance reasons a security descriptor cache is
     used. The number given to this option is the max number of
     security descriptors in cache at any given time. This number
     should be tuned for your specific workload.
   - Only applicable when "store nt acls" is true.

With all of these options at the defaults settings samba will work
100% the same you're used to.

Known bugs:
- During DACL auto-propagation on a directory, sometimes updated UNIX
  permissions may not be fully propagated down the entire tree.
- Usually the owner of a file always has change ACL permissions,
  but since samba opens a file before calling the VFS get_acl()
  we must also give the owner of a file full read permissions.
- Using the new NT ACL code is mutually exclusive to using POSIX
  ACLS in samba. I plan to fix this soon.
- At the VFS layer, there is not enough information about whether a
  file is being opened for just reading or for executing, therefore
  if a trustee has read permission they also have execute permission.

If anyone finds more problems let me know. This code is stable, as we
have been running it through full netbench benchmarks daily for
the last couple of months. The samba team is encouraged to incorporate
any parts of this patch that they deem worthy. I'm sorry this email
is light on details, especially since this is a large'ish patch. Feel
free to mail any questions to the list and I'll answer as soon as
Matt Zinkevicius
Software Engineer
Network Storage Array Solutions

-------------- next part --------------
A non-text attachment was scrubbed...
Name: samba-2.2.3a-ntss.patch.gz
Type: application/octet-stream
Size: 17594 bytes
Desc: not available
Url : http://lists.samba.org/archive/samba-technical/attachments/20020404/e6cf3627/samba-2.2.3a-ntss.patch.obj

More information about the samba-technical mailing list